BY DR. SCOTT VANSTONE

This issue of Code & Cipher focuses on security standards & associated standards bodies. It takes several years to come up with a good security standard. When developing a new security standard, it is important to choose protocols that have withstood the test of time, such as TLS and IPSec. This way, you can ensure strong and reliable security. The cost of weak standards and implementations spreads far beyond reputation: they can result in the loss of hundreds of millions of dollars to the industry.

WiFi (802.11) is a high profile example of a weak security standard that did use standard cryptographic algorithms, but not existing, proven protocols. The initial release was flawed. As a result, the typical enterprise WiFi deployment became one in which wireless access points are installed outside the enterprise network and outside the firewall. While this isn’t necessarily bad, it does require the enterprise to deploy a VPN to gain access, and therefore adds more cost.

Now add Voice over IP (VoIP) into the mix. VoIP over the enterprise network is projected to save millions, because the same network lines that carry data can also be used to transmit voice calls.

VoIP transportation and signaling protocols are vulnerable to attack simply because they travel over the existing enterprise data network. If a hacker accesses the voice transport, they can quite easily listen to any call. Attacking the signaling protocol would allow someone to make unlimited international calls or re-direct inbound calls, all at the expense of the hacked organization. These security threats must be dealt with to prevent the associated losses. There are VoIP security standards evolving to address these issues.

Using VoIP over a wireless network would allow a user to be completely mobile in the enterprise for voice and data. However, VoIP and WiFi can't easily coexist in the enterprise today because the access points are outside the enterprise network. This means that you have to run yet another security protocol, such as SSL or a VPN, on top of VoIP and WiFi security. This represents an enormous cost to the enterprise—all because of poor choices made during the WiFi security standards process.

To be fair, WiFi security standards are evolving; unfortunately the new standards require major hardware upgrades and the addition of authentication servers for the enterprise. It will certainly take some time to see how well these technologies co-exist in the emerging enterprise.

Much of this could have been easily avoided if industry had first considered using the well established core standards that are discussed in this issue of Code & Cipher. We have learned that there is no need to re-invent the wheel for every new communication protocol. In fact, many of the standards described here have modular components for encryption, key agreement and more, so they can be effectively used to address almost any situation.